Routing all traffic through WireGuard via Wi-Fi station

Hello
First of all, thank you for helping me :wink:

This is my network


Laptop → Wireguard1 → Gateway1 → internet → Wan ———Gateway2—————-Lan—> Wifi Station ——————> Gateway4G → PUBLIC IP1
-----------------------------Wireguard2——————————> Wireguard2
----------------------------------------------------------------------Wireguard3———————> WIREGUARD3 PUBLIC IP2
Laptop —via Wireguard1————————That I Want——————————————— > WIREGUARD3 PUBLIC IP2


I would like to connect with my laptop to Gateway1 with Wireguard1, and I want my public IP to be Wireguard3's.

Currently this works:
Laptop → Wireguard1 → Gateway1 → internet → Gateway2 → Wifi Station → Gateway4G → PUBLIC IP1
----------------------------------------------------------Wireguard2———————————> Wireguard2
Laptop —via Wireguard1—————————————————-————————————> PUBLIC IP1


So when I try to use PUBLIC IP2, Wireguard3 connects via Gateway2's WAN and not via PUBLIC IP1.

To sum up, I want to redirect all Wireguard3 traffic via Gateway2 (Wifi Station) and not Gateway2 (WAN).

I tried to use VRF.

Gateway2 is a mAntBox.

# 2024-05-05 18:10:36 by RouterOS 7.14.3
# software id = 5BPS-L66T
#
# model = RBD22UGS
# serial number = XXXXXXXX
/interface bridge
add admin-mac=2C:C8:XXXXXA auto-mac=no comment=defconf name=Bridge
add name=Bridge_Wifi
/interface wireguard
add listen-port=51003 mtu=1420 name=Wireguard_1
add listen-port=13231 mtu=1420 name=Wireguard_3
add listen-port=51000 mtu=1420 name=Wireguard_Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=Key supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=france disabled=no frequency=2462 installation=outdoor name=Wifi_2G security-profile=Key ssid=Mobi1_2G
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=france frequency=auto installation=outdoor name=Wifi_5G security-profile=Key ssid=""
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip vrf
add interfaces=Wireguard_3 name=Vrf_3
add interfaces=Bridge_Wifi,Wireguard_1 name=Vrf_Bridge_Wifi
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=Bridge comment=defconf interface=ether1
add bridge=Bridge comment=defconf interface=sfp1
add bridge=Bridge_Wifi comment=defconf interface=Wifi_2G
add bridge=Bridge_Wifi comment=defconf interface=Wifi_5G
/interface wireguard peers
add allowed-address=10.1.1.2/32 endpoint-address=adm.XXXX endpoint-port=51000 interface=Wireguard_Admin persistent-keepalive=25s public-key="XXXXXXXXX"
add allowed-address=0.0.0.0/0 endpoint-address=client1.XXXX endpoint-port=51003 interface=Wireguard_1 persistent-keepalive=25s public-key="XXXXXXXXX"
add allowed-address=0.0.0.0/0 endpoint-address=31.XXXXX endpoint-port=51820 interface=Wireguard_3 persistent-keepalive=25s public-key="XXXXXXXXXXX"
/ip address
add address=10.1.1.4/29 interface=Wireguard_Admin network=10.1.1.0
add address=10.1.1.30/29 interface=Wireguard_1 network=10.1.1.24
add address=10.XXXX.227 interface=Wireguard_3 network=10.XXXX.227
/ip dhcp-client
add comment=defconf interface=Bridge
add interface=Bridge_Wifi
/ip firewall filter
add action=accept chain=input dst-address=10.1.1.4 in-interface=Wireguard_Admin src-address=10.1.1.2
add action=accept chain=forward
add action=accept chain=output
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=Wireguard_1 new-routing-mark=Vrf_Bridge_Wifi passthrough=yes src-address=10.1.1.26
add action=mark-routing chain=prerouting in-interface=Wireguard_3 new-routing-mark=Vrf_3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Bridge_Wifi
add action=masquerade chain=srcnat out-interface=Wireguard_3
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Wireguard_3@Vrf_3 routing-table=Vrf_3 suppress-hw-offload=no
/system note
set show-at-login=no

Thanks a lot
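As an added example (not the poster's configuration and not MikroTik-supplied code), the goal stated above can be expressed with one extra routing table and a host route instead of VRFs: packets arriving over Wireguard_1 are looked up in a table whose only default route is Wireguard_3, and Wireguard_3's own tunnel packets are pinned to the Wi-Fi uplink so their outer source becomes PUBLIC IP1. Interface names are taken from the export above. Two values are assumptions because the post redacts them: 203.0.113.10 stands in for the Wireguard_3 peer endpoint (shown as 31.XXXXX) and 192.168.8.1 stands in for the gateway that the Wifi Station hands to Bridge_Wifi via DHCP. The last stanza is a caveat rather than part of the routing fix: the export's input chain has a single accept rule and no drop, and RouterOS accepts anything no rule matches, so the router's services are reachable from both uplinks.

```routeros
# Added example, not from the original post.
# Assumed values: Wireguard_3 peer endpoint = 203.0.113.10,
# DHCP gateway learned on Bridge_Wifi = 192.168.8.1.

# 1. Both DHCP clients install a default route at distance 1. Keep the wired
#    WAN (Bridge) as the router's own default and make the Wi-Fi uplink a backup.
/ip dhcp-client
set [ find interface=Bridge_Wifi ] default-route-distance=10

# 2. Pin the Wireguard_3 tunnel itself (handshake and encrypted UDP) to the
#    Wifi Station, so it is NATed by Gateway4G and appears to come from PUBLIC IP1.
/ip route
add dst-address=203.0.113.10/32 gateway=192.168.8.1 comment="WG3 endpoint via Wifi Station"

# 3. A dedicated table whose only default route is the Wireguard_3 tunnel.
/routing table
add name=via_wg3 fib
/ip route
add dst-address=0.0.0.0/0 gateway=Wireguard_3 routing-table=via_wg3 comment="laptop traffic -> WG3"

# 4. Everything the laptop sends in over Wireguard_1 uses that table, except
#    packets addressed to the router itself (so the tunnel address stays reachable).
/ip firewall mangle
add chain=prerouting in-interface=Wireguard_1 dst-address-type=!local \
    action=mark-routing new-routing-mark=via_wg3 passthrough=no

# 5. Hide the laptop's 10.1.1.24/29 address behind the Wireguard_3 tunnel address.
/ip firewall nat
add chain=srcnat out-interface=Wireguard_3 action=masquerade

# 6. Caveat: with no final drop, input is open on both uplinks. Minimal policy.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=51000,51003,13231 action=accept comment="WireGuard listen ports"
add chain=input in-interface=Wireguard_Admin action=accept
add chain=input action=drop
```

After replacing the two placeholder addresses, `/ip route print detail where routing-table=via_wg3` should show the default route active (Wireguard_3 must have a handshake for it to be usable), and a "what is my IP" check from the laptop should return PUBLIC IP2 rather than PUBLIC IP1. The existing mangle rules that mark into Vrf_Bridge_Wifi and Vrf_3 and the /ip vrf entries would be removed, since a VRF also confines the interfaces' connected routes to its own table and then needs explicit leaking to reach anything in the main table.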

Sorry very confusing… Can you draw a network diagram please…

Not sure which ones are still valid…

Step1 - NETWORK DIAGRAM Provide a network diagram of your setup with enough detail so that the subnets (vlans), devices and their relationships are clearly established. If able, on the same, or perhaps separate diagram indicate the purpose of each port on your device. The network diagram provides the framework for the book which will help guide us towards a successful configuration.

NETWORK DIAGRAM APPS:
https://nulab.com/cacoo/
https://online.visual-paradigm.com/diagrams/solutions/free-network-diagram-software/
https://www.lucidchart.com/pages/
https://drawio-app.com/product/
https://www.diagrams.net/ (its older sibling soon to be discontinued https://drawio-app.com/product/)
( Other links for diagrams.net - https://www.youtube.com/watch?v=P3ieXjI7ZSk & https://www.youtube.com/watch?v=mpF1i9sfEJ0 )
https://sourceforge.net/projects/dia-installer/
https://www.yworks.com/products/yed (and icons for yed → https://github.com/danger89/yEd_cisco_network_icons )
https://www.libreoffice.org/discover/draw/

http://kilievich.com/fpinger/ - has a simple drawing program but not its main intent.

This is a small diagram.
I would like to route all traffic to the internet via wireguard 1 with next hop wireguard3.
The mantbox is in router mode.
The laptop is connected to the mantbox via wireguard1 and passes through GW1 and GW2.
After that I want it to pass through wireguard3 to access the internet,
so that finally the WAN IP is the VPN's.

Okay, let's break this down so it makes sense.
You want to establish a wireguard connection from your LAPTOP to the MT MANTBOX.

Does the mantbox have a public IP address associated with it, or is it connected to an ISP router with a public IP from which you can forward ports to the MANTBOX??

Then you want to connect the MANTBOX via a third-party VPN, to wireguard, so that you can then push your laptop traffic out to the internet through the third-party VPN.

++++++++++++++++++++++++++++++++++++++

What I don't get is why you are showing a WG2??? What am I missing?

Hello, thanks a lot for your answer.
The MANTBOX has a public IP via the WIFI INTERNET ROUTER, but not directly.
Yes, I want my laptop to have the public IP of the final VPN.

Still not enough detail.

Please detail the relationship between every device in your diagram.
Right now it looks like the laptop is directly connected to GWY1, which is directly connected to GWY2, which is directly connected to the MANTBOX, which is directly connected to a wifi AP router, which is directly connected to a VPN box, which is directly connected to the internet.


So it begs the questions I asked; I have no clue what your network looks like.
So you're saying the laptop is connected to WHAT? Where does it get its internet from presently?

What is the mantbox connected to? Where does it get internet presently?